MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc2137c6993dc3966cdf9195c6a5154c6a5e643fa7f90bdbc7e2522626fa9a56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: cc2137c6993dc3966cdf9195c6a5154c6a5e643fa7f90bdbc7e2522626fa9a56
SHA3-384 hash: 237bae0ef8ec5e2667eb5693a14c9bdb17bbb4d4ae809129d482623a2345577e96f1a2f799c91b43f00e0504b7d53da1
SHA1 hash: 5ede879f2ed996c35d9224d235735b21e11b0b21
MD5 hash: 3c1b65f5fafec8f500cd3cf84687f601
humanhash: victor-mississippi-triple-failed
File name: cmd.bat
File size: 635 bytes
First seen: 2025-04-04 08:42:01 UTC
Last seen: Never
File type: Batch (bat)
MIME type: text/x-msdos-batch
ssdeep: 12:wb4u4XCG5ifYofh/ibfWfmWfEzflbfdfL8fOzffofoZjbfebffzf3f0Cf5ZfKsf0:wKXCIigoob+OWM9bFz8GzXoQZfGbXzvm
TLSH: T1C5F09042B14E646052F75DD20CE10C756B6CC3C11F21E5FC6CAB9D58C02C4EBCF1A41A
Magika: batch
Reporter: abuse_ch
Tags: bat

Intelligence

File Origin
# of uploads: 1
# of downloads: 38
Origin country: NL

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cmd.bat
Verdict: Malicious activity
Analysis date: 2025-04-04 08:52:30 UTC
Tags: loader evasion

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 92.5%
Tags: trojan shell sage
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Creating a process with a hidden window
Creating a file
Creating a window
DNS request
Using Windows Management Instrumentation requests
Sending a custom TCP request
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: powershell
Result
Threat name: n/a
Detection: malicious
Classification: expl.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Compiles code for process injection (via .Net compiler)
Injects a PE file into a foreign process
Joe Sandbox ML detected suspicious sample
Sample uses process hollowing technique
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Silenttrinity Stager Msbuild Activity
Suricata IDS alerts for network traffic
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph (ID 1656499, sample cmd.bat, start date 04/04/2025, architecture WINDOWS, score 100; the graph image is not reproduced here). Process tree recovered from the graph: the sample starts cmd.exe and svchost.exe; cmd.exe starts powershell.exe and conhost.exe; powershell.exe drops oah0xnld.cmdline (Unicode) and oah0xnld.0.cs under C:\Users\user\AppData\Local\..., then starts csc.exe and MSBuild.exe; csc.exe drops oah0xnld.dll (PE32) and starts cvtres.exe. Network activity on the graph: powershell.exe contacts 92.255.85.66 on ports 49681, 49682 and 7777 (SOVTEL-ASRU, Russian Federation); MSBuild.exe contacts ip-api.com at 208.95.112.1 port 80 (TUT-ASUS, United States); svchost.exe contacts 127.0.0.1; pki-goog.l.google.com and 2 other IPs or domains are also resolved. Signatures shown on the graph: Suricata IDS alerts for network traffic, antivirus detection for URL or domain and for a dropped file, writes to foreign memory regions, process hollowing, compiles code for process injection (via .Net compiler), injects a PE file into a foreign process, and 7 other signatures.
Threat name: Script-BAT.Downloader.FakeCaptcha
Status: Malicious
First seen: 2025-04-03 21:20:41 UTC
File Type: Text (Batch)
AV detection: 3 of 24 (12.50%)
Threat level: 3/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Blocklisted process makes network request
Downloads MZ/PE file
Malware Config
Dropper Extraction: http://92.255.85.66/a.mp4
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
File type: Batch (bat)
SHA256: cc2137c6993dc3966cdf9195c6a5154c6a5e643fa7f90bdbc7e2522626fa9a56 (this sample)

Delivery method
Distributed via web download
